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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .1 7(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 8/3/09 
has been entered. 

Claims 1-10, 12, 14, 15, and 17-25 are pending. Claims 1-10, 13, 14, 15, and 
17-25 have been amended. 

Response to Amendment 
Specification 

The objection to the specification has been withdrawn due to the amendments. 

Claim Objections 

Claims 21-23 are objected to because of the following informalities: 
As per claim 21 , an authentication server is defined more than once. 
As per claim 22, a user terminal is defined more than once. 
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As per claim 23, an application server is defined more than once. 



Claim Rejections - 35 USC §112 

The 112 rejections have been withdrawn due to claim amendments. 



Response to Arguments 

Applicant's arguments filed 8/3/09 have been fully considered but they are not 
persuasive. The following interpretation of the prior art is solely based on the current 
set of claims and arguments submitted by the Applicant. It is not the only possible 
interpretation of the prior art and may be altered when/if the claims and/or arguments 
change. 

Applicant has asserted that the combination of Newcombe and Arnold fail to 
teach the allocation of the address as required by the claim. Examiner respectfully 
disagrees. This address allocation is explicitly taught by Arnold. Arnold teaches that an 
IP from a pool of address will be allocated to a client only after a successful 
authentication (pg.4, 2nd paragraph). This teaching is well known in the art as DHCP. 
Allocation of IP addresses to clients is how the Internet has grown because there simply 
aren't enough IP addresses for every client. Combining this known teaching into the 
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system of Newcombe is obvious because combining known methods which produce 
predictable results are within the capabilities of one skilled in the art. Newcombe 
teaches that the client IP address is the one which is incorporated into the ticket. 
Therefore when combining the teaching of Arnold into the system of Newcombe, it 
would be the allocated address which is cryptographically placed into the ticket once the 
user has been authenticated. Newcombe teaches a client is pre-authenticated before 
creating a ticket (see abstract). This coincides well with Arnold's teaching of 
authentication before granting an IP address. Furthermore this combination 
necessitates that the allocated IP be the source address of the client when contacting 
the content server and it is this address which has to be compared because it is stored 
within the ticket. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 



Claims 1, 5-10, 15, 17-21, 23-25 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Newcombe (US 2003/0172269 A1) in view of Arnold et al. (WO 
03/0551 70 A1 ), hereinafter Arnold. 
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As per claim 1 , Newcombe teaches the limitation of "an authentication system in 
which an authentication server which authenticates a user, a user terminal which 
transmits a user authentication information, and an application server which provides a 
service to the user through the user terminal are connected together to enable a 
communication there between through a network" (Fig. 1; page 2, paragraph 0025) as 
the system includes a client that desires access to a content server, application server, 
or the like. The authentication manager includes an application authentication server 
and ticket granting server. 

Further, Newcombe teaches the limitation of "authentication means for 
authenticating a user based on the user authentication information transmitted as an 
authentication request from the user terminal" (page 3, paragraph 0044) as Application 
Authentication Server (AAS) is configured to authenticate a user. 

Furthermore, Newcombe teaches the limitations of "a ticket issuing means for 
issuing a ticket containing the address allocated by the address allocating means" and 
"a ticket transmitting means for transmitting the ticket issued by the ticket issuing means 
to the user terminal" (page 4, paragraph 0044) as Application Authentication Server 
(AAS) is configured to provide the authenticated user one or more content tickets that 
enables authenticated user to access one or more content servers. The content ticket 
includes (page 4, paragraph 0048) the client's local and remote IP addresses. 

In addition, Newcombe teaches the limitation of "a user authentication 
information transmitting means for transmitting user authentication information to the 
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authentication server for purpose of an authentication request" (page 4, paragraph 
0052) as clients are enabled to request access to servers, such as content servers by 
requesting content tickets from AAS. Clients are enabled to provide information 
associated with local and remote IP addresses to AAS as part of the request for content 
tickets. 

Additionally, Newcombe teaches authentication information generating means for 
generating information for authentication from information including the allocated 
address (0025). 

Additionally, Newcombe teaches the limitation of "a ticket reception means for 
receiving a ticket transmitted from the authentication server" (page 5, paragraph 0064) 
as Authentication Server (AS) determines the user is a valid user and provides client 
with a Ticket Granting Ticket. Where AS is a part of AAS (page 4, paragraph 0054). 

Also, Newcombe teaches the limitations of "means for transmitting a packet 
including the ticket to the application server for establishing a session" and "a service 
request means for transmitting a packet requesting a service to the application server" 
(page 9, paragraph 01 13) as client is to be authenticated by the content server. Where 
(page 10, paragraph 0114) authenticator and ticket is sent to the server. 

Moreover, Newcombe teaches the limitation of "a ticket memory means for 
storing the ticket transmitted from the user terminal" (Fig. 4; page 4, paragraph 0056) as 
ADS is configured to provide storage for information associated with a client, user, 
ticket, and the like. 
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Newcombe teaches ticket verifying means for verifying the presence or absence 
of any forgery in the information for authentication in the ticket transmitted from the user 
terminal and storing the ticket in the ticket memory means in the absence of a forgery 
(0091 and 0125). 

Furthermore, Newcombe teaches the limitation of "an address comparison 
means for determining whether or not the address contained in the ticket which is stored 
in the ticket memory means coincides with the source address of the service request 
packet which is transmitted from the user terminal through the session" (page 4, 
paragraph 0048) as Content server is also configured to read its portion of the content 
ticket to verify whether the sending client should be enabled access to the requested 
content. Where Newcombe teaches the process of validation (page 10, paragraph 
01 17) as a ticket, including an encrypted modified authenticator, is received. The client's 
local and remote IP addresses are obtained, and the encrypted modified authenticator 
is decrypted. Further, (page 10, paragraph 01 19) a determination is made whether an 
remote IP address associated information provided be the client matches an IP address 
obtained by a variety of approaches, including a system call, examination of TCP/IP 
packets associated with the client, and the like. 

Finally, Newcombe teaches the limitation of "a service providing means for 
transmitting to the user a packet which provides a service to the user when a 
coincidence between the addresses is determined by the address comparison means" 
(page 4, paragraph 0045) as Content server may include virtually any electronic device 
capable of storing content and sending the content to a requesting device. 
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It is noted, however, that Newcombe does not teach the limitations of "an 
address allocating means for allocating an address to the user terminal for a successful 
authentication of the user", "means for setting up an address contained in the ticket as a 
source address for a packet which is to be transmitted from the user terminal." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 

With respect to claim 5, Newcombe teaches the limitation of "authentication 
information generating means is configured to process the information including the 
allocated address" (0025) with a shared secret key which is shared beforehand between 
the authentication server and the application server" (page 6, paragraph 0068) as TGS 
is configured to receive the server readable portion of the TGT and modified 
authenticator from the user, and to provide a valid user with a content ticket that 
enables access to an identified content server. Furthermore, (page 6, paragraph 0071) 
the content ticket may include a server readable portion that is signed by a public 
encryption key associated with TGS. 
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In addition, Newcombe teaches the limitation of "the ticket verifying means of the 
application server configured to further verify information for authentication contained in 
the ticket using a shared secret key which is beforehand shared between the 
authentication server and the application server" (Fig. 13; page 10, paragraphs 0126 - 
0127) as a determination is made whether the client is authentic. If it is determined that 
the client is authentic, a determination is made whether information within the content 
ticket is valid. If the client is found not to be authentic or the information is not valid, an 
error message is sent to the client. Furthermore, (page 10, paragraph 01 14) the 
authentication used for client authentication is encrypted using the session key obtained 
from the authentication server. 

With respect to claim 6, Newcombe teaches the limitation of "the application 
server comprises an address collating means for collating the address in the ticket 
which is transmitted from the user terminal against the source address of the packet 
which includes the ticket and for preventing the ticket from being stored when a 
coincidence is not found" (Fig. 5; page 7, paragraph 0086 and 0087) as a client 
interacts with a Ticket Granting Server (TGS) to obtain a content ticket. If the client is 
unsuccessful, the processing ends. Where (page 10, paragraph 01 19) a determination 
is made whether an remote IP address associated information provided be the client 
matches an IP address obtained by a variety of approaches, including a system call, 
examination of TCP/IP packets associated with the client, and the like. 
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With respect to independent claim 7, Newcombe teaches the limitation of "An 
authentication server in an authentication system in which an authentication of a user 
utilizing a user terminal is performed through the user terminal by an authentication 
server and a request is made to an application server to provide a service on the basis 
of the authentication" (Fig. 1; page 2, paragraph 0025) as the system includes a client 
that desires access to a content server, application server, or the like. The 
authentication manager includes an application authentication server and ticket granting 
server. 

Further, Newcombe teaches the limitation of "a reception means for receiving an 
authentication request inclusive of a user authentication information and key information 
presenting a public key of the user terminal both transmitted from the user terminal" 
(page 3, paragraph 0044) as Application Authentication Server (AAS) is configured to 
authenticate a user. Where, (page 4, paragraph 0052) clients are enabled to request 
access to servers, such as content servers by requesting content tickets from AAS. 
Clients are enabled to provide information associated with local and remote IP 
addresses to AAS as part of the request for content tickets. 

Furthermore, Newcombe teaches the limitation of "an authentication means to 
which the user authentication information of the received authentication request is input 
and which authenticates the user on the basis of the user authentication information and 
providing a signal indicating a successful authentication upon a successful 
authentication" (page 5, paragraph 0064) as Authentication Server (AS) determines the 
user is a valid user and provides client with a Ticket Granting Ticket. Where AS is a part 
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of AAS (page 4, paragraph 0054) and (page 10, paragraph 01 15) a signal is provided 
that indicates whether the client is authentic or not. 

Additionally, Newcombe teaches authentication information generating means for 
generating information-for-authentication using at least the allocated address and the 
key information (0025 and 0029). 

In addition, Newcombe teaches the limitations of "a ticket issuing means for 
issuing a ticket containing the allocated address, the key information, and the 
information-for-authentication" (0025) and "and a ticket transmitting means to which the 
ticket is input and which transmits the ticket to the user terminal" (page 4, paragraph 
0044) as Application Authentication Server (AAS) is configured to provide the 
authenticated user one or more content tickets that enables authenticated user to 
access one or more content servers. The content ticket includes (page 4, paragraph 
0048) the client's local and remote IP addresses. 

It is noted, however, that Newcombe does not teach the limitation of "an address 
allocating means for allocating an address to the user terminal in response to an input 
of the signal indicating a successful authentication of the user." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
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AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 

With respect to claim 8, Newcombe teaches the limitation of "an authentication 
information generating means for generating an authentication information for 
information which includes at least the allocated address using a shared secret key 
which is beforehand shared between the authentication server and the application 
server" (page 4, paragraph 0044) as Application Authentication Server (AAS) is 
configured to provide the authenticated user one or more content tickets that enables 
authenticated user to access one or more content servers. The content ticket includes 
(page 4, paragraph 0048) the client's local and remote IP addresses. Furthermore, 
(page 5, paragraph 0065) the client readable portion [of the ticket] is signed with the 
private key of the authentication server. 

With respect to claim 9, Newcombe teaches the limitation of "the authentication 
server comprises a user identifier allocating means for allocating a user identifier which 
corresponds to the authenticated user in response to the authentication request for a 
successful authentication of the user" (page 4, paragraph 0057) as Authentication 
Server (AS) is enabled to authenticate a user. 

In addition, Newcombe teaches the limitations of "authentication information 
generating means is configured to process the information including the allocated 
address, the key information, and the user identifier to produce information for 
authentication and the ticket issuing means is configured to combine at least the 
information for authentication, the allocated address, the key information and the user 
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identifier to form the ticket" (0025) and "and a ticket transmitting means to which the 
ticket is input and which transmits the ticket to the user terminal" (page 4, paragraph 
0044) as Application Authentication Server (AAS) is configured to provide the 
authenticated user one or more content tickets that enables authenticated user to 
access one or more content servers. The content ticket includes (page 4, paragraph 
0048) the client's local and remote IP addresses. 

As per claim 10, Newcombe teaches the user identifier allocating means is 
configured to encrypt information which directly identifies the user by using an identifier 
generating secret key of the authentication server to produce the user identifier (0065). 

As per claim 15, Newcombe teaches an application server in an authentication 
system in which an authentication of a user utilizing a user terminal is performed by an 
authentication server and a request to provide a service is made to an application 
server on the basis of the authentication (0045); comprising 

a session establishing means for establishing a session with a user terminal in 
response to a reception of a session establishment request packet containing a ticket 
from the user terminal (0047); 

a ticket memory means in which a ticket transmitted from the user terminal is 
stored (0056); 

an address comparison means to which a source address of a service request 
packet which is transmitted from the user terminal and received through the established 
session is input and which determines whether or not the source address coincides with 
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the address of the user terminal contained in the ticket stored in the ticket memory 
means (0048); 

and a service providing means-which transmits packets for providing a service to 
the user to the user terminal when the output of the address comparison means 
indicates a coincidence (0045); 

wherein said session establishing means comprises ticket verifying means for 
verifying authenticity of the ticket, which is received through a packet from the user 
terminal for establishing the session, by checking the information for authentication 
contained in the ticket and preventing the ticket from being stored in the ticket memory 
means when verification is not successful (0049). 

It is noted, however, that Newcombe does not teach the limitation of "an 
allocated address". 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

With respect to claim 17, Newcombe teaches the limitation of "a session key 
generating means for calculating a session secret key which is shared with the user 
terminal from a private key of the application server and an public key of the user 
terminal" (paragraph 0029) as In one embodiment of the invention, for asymmetric 
encryption, 1024-bit keys may be used with RSA. These keys may be formatted 
according to the "OAEP (with SHA1 )" scheme provided by RSA, or any other formatting 
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appropriate. For example, RSA may be used in conjunction with a ticket (which is 
described in more detail below) to decrypt data in the ticket to recover an AES key that 
may then be used to decrypt other portions of a ticket. SHA1 stands for Secure Hash 
Algorithm 1 . SHA1 is a cryptographic hash algorithm that produces a 160-bit hash value 
from an arbitrary length string. In other embodiments of the invention, other private 
key/public key encryption algorithms may be used (such as the ones listed above) with 
the same or different key sizes. 

In addition, Newcombe teaches the limitation of "a packet verifying means for 
verifying whether or not a packet received from the user terminal is forged using the 
session secret key and for preventing the ticket from being stored in response to a 
verification output indicating the presence of a forgery" (page 5, paragraph 0065) as the 
server decrypts the server readable portion and extracts its copy of the session key, and 
uses that to decrypt the authenticator. If the authenticator is decrypted successfully then 
this proves beyond reasonable doubt that the client had the correct session key. 

As per claim 18, Newcombe teaches the ticket verifying means comprises 
collating means for verifying, when the received to which a packet which has been 
verified by the packet verifying means as not forged, whether or not the key information 
contained in the ticket corresponds to the public key of the user terminal which has 
been used in the calculation of the session secret key (0029). It is inherent that you 
must use the appropriate keys given one knows how the encryption process was done 
to verify the lack of forgery. 
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With respect to claim 19, Newcombe teaches the limitation of "the ticket verifying 
means is means which an authentication purpose shared secret key which is shared 
with the user terminal and a session dependent information which changes each time a 
session is established are input and which processes the session dependent 
information using the authentication purpose shared secret key, collates a result of the 
processing against the key information in the ticket and verifies the authenticity of the 
ticket by seeing whether or not a matching between the result of processing and the key 
information applies" (page 4, paragraph 0048) as Content server is also configured to 
read its portion of the content ticket to verify whether the sending client should be 
enabled access to the requested content. Where the client is authenticated using the 
modified authenticator, and (page 2, paragraph 0025) the modified authenticator 
includes a timestamp that is combined with a cryptographically strong digest of a 
concatenation of the local and remote IP addresses associated with the client. The 
modified authenticator is directed at binding the timestamp to a single client to minimize 
theft and reuse of an authenticator. 

With respect to claim 20, Newcombe teaches the limitation of "he ticket verifying 
means comprises means for verifying whether or not the source address of the received 
packet coincides with the address contained in the ticket within the packet and for 
preventing the ticket from being stored in response to a detection output which indicates 
a non-coincidence" (page 4, paragraph 0048) as Content server is also configured to 
read its portion of the content ticket to verify whether the sending client should be 
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enabled access to the requested content. Where Newcombe teaches the process of 
validation (page 10, paragraph 0117) as a ticket, including an encrypted modified 
authenticator, is received. The client's local and remote IP addresses are obtained, and 
the encrypted modified authenticator is decrypted. Further, (page 10, paragraph 0119) a 
determination is made whether an remote IP address associated information provided 
be the client matches an IP address obtained by a variety of approaches, including a 
system call, examination of TCP/IP packets associated with the client, and the like. 
Furthermore, (Figs. 5 and 1 3; page 1 0, paragraph 01 27) if the client is found not to be 
authentic or the information is not valid, an error message is sent to the client and the 
process returns to block 510 of Fig. 5, and consequently ends. 

With respect to claim 21 , it is rejected in view of the reasons stated in the 
rejection of independent claim 7. 

With respect to claim 23, it is rejected in view of the same reasons as stated in 
the rejection of independent claim 15. 

As per claim 24, Newcombe teaches the authentication server has a secret key 
and a public key for a digital signature (0029) and said ticket issuing means comprises: 

an authentication information generating means for computing a digital signature 
on the information including at least the allocated address using the secret key for the 
digital signature to produce the information for authentication so that the application 
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server can verify the presence or absence of any forgery in the information for 
authentication in the ticket using the public key of the authentication server (0030 and 
0065-66). 

As per claim 25, Newcombe teaches the authentication server has a secret key 
and a public key for digital signature (0029), and said ticket issuing means comprises: 
an authentication information generating means for computing a digital signature on the 
information including at least the allocated address using the secret key to produce the 
information for authentication so that the application server can verify the presence or 
absence of any forgery in the information for authentication in the ticket using the public 
key of the authentication server (0030 and 0065-0066). 

Claims 2-4 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Newcombe and Arnold as applied to claim 1 above, and further in view of USP 
Application Publication 2003/0163693 to Medvinsky. 

As per claim 2, Newcombe teaches the user terminal has a key information 
relating to a public key of the user terminal (0029-30). 

Newcombe teaches the limitation of "the ticket issuing means being means for 
issuing a ticket also containing the key information which is transmitted from the user 
terminal" (page 6, paragraph 0068) as Ticket Granting Server (TGS) is configured to 
receive the server readable portion of TGT and modified authenticator from the user, 
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and to provide a valid user with a content ticket that enables access to an identified 
content server. 

Further, Newcombe teaches the limitation of "the user authentication information 
transmitting means being means for transmitting the key information also together with 
the user authentication information" (page 4, paragraph 0052) as clients are enabled to 
provide information associated with local and remote IP addresses to AAS as part of the 
request for content tickets. Furthermore, (page 6, paragraph 0068) Ticket Granting 
Server (TGS) is configured to receive the server readable portion of TGT and modified 
authenticator from the user, where (page 6, paragraph 0072) the server readable 
portion may include information associated with the client's local and remote IP 
addresses, the user's account, lifetime parameter, a portion of application content, such 
as application title, version information or the like, and a session key. 

Furthermore, Newcombe teaches the limitations of "a first session key generating 
means for calculating a session secret key which is shared with the application server" 
and "a second session key generating means for calculating a second session secret 
key which is shared with the user terminal" (paragraph 0029) as in one embodiment of 
the invention, for asymmetric encryption, 1024-bit keys may be used with RSA. These 
keys may be formatted according to the "OAEP (with SHA1)" scheme provided by RSA, 
or any other formatting appropriate. For example, RSA may be used in conjunction with 
a ticket (which is described in more detail below) to decrypt data in the ticket to recover 
an AES key that may then be used to decrypt other portions of a ticket. SHA1 stands for 
Secure Hash Algorithm 1 . SHA1 is a cryptographic hash algorithm that produces a 160- 
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bit hash value from an arbitrary length string. In other embodiments of the invention, 
other private key/public key encryption algorithms may be used (such as the ones listed 
above) with the same or different key sizes. 

In addition, Newcombe teaches the limitation of "a packet cryptographic 
processing means for performing a processing upon a packet transmitted from the user 
terminal to guarantee that there is no forgery in the packet by the session secret key" 
(page 5, paragraph 0065) as client proves that it can decrypt the client readable portion 
be extracting the session key from client readable portion and using it to encrypt 
subsequent authenticators. 

Also, Newcombe teaches the limitations of "a packet verifying means for 
confirming whether or not the packet received from the user terminal is forged using the 
session secret key" and "a ticket verifying means for verifying whether or not the key 
information contained in the ticket of the packet which has been verified as not being 
forged is information relating to the private key of the user terminal" (page 5, paragraph 
0065) as the server decrypts the server readable portion and extracts its copy of the 
session key, and uses that to decrypt the authenticator. If the authenticator is decrypted 
successfully then this proves beyond reasonable doubt that the client had the correct 
session key. 

Finally, Newcombe teaches the limitation of "the ticket verifying means 
preventing the ticket from being stored in the ticket memory means when the key 
information is not relating information" (Fig. 5; page 7, paragraph 0086 and 0087) as a 
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client interacts with a Ticket Granting Server (TGS) to obtain a content ticket. If the 
client is unsuccessful, the processing ends. 

Newcombe and Arnold are silent in explicitly teaching the session keys are 
created using the private and public keys of the user terminal and the application server. 
Newcombe does teach using a session key between the client and server and that any 
algorithm could be used. The algorithm used in the claim is a well known Diffie-Hellman 
type (e.g. IKE, Oakley) key exchange. Medvinsky teaches this same type of key 
exchange with the use of tickets (001 3). It is obvious to one of ordinary skill to 
substitute known methods which produce predictable results. The combination of 
Medvinsky produces a well known and secure key exchange. 

With respect to claim 3, Newcombe teaches the limitation of "a transmission of 
the ticket from the user terminal takes place in terms of a packet" (Abstract) as a packet 
that includes the authenticator is sent to a server. 

In addition, Newcombe teaches the limitation of "an address collating means for 
collating the address in the ticket transmitted from the user terminal against the source 
address of the packet which includes the ticket and for preventing the ticket from being 
stored if a coincidence is not found" (Fig. 5; page 7, paragraph 0086 and 0087) as a 
client interacts with a Ticket Granting Server (TGS) to obtain a content ticket. If the 
client is unsuccessful, the processing ends. Where (page 10, paragraph 0119) a 
determination is made whether an remote IP address associated information provided 
be the client matches an IP address obtained by a variety of approaches, including a 
system call, examination of TCP/IP packets associated with the client, and the like. 
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With respect to claim 4, Newcombe teaches the limitation of "the authentication 
server comprises a user identifier allocating means for allocating a user identifier which 
corresponds to the authenticated user in response to the authentication request for a 
successful authentication of the user" (page 4, paragraph 0057) as Authentication 
Server (AS) is enabled to authenticate a user. 

In addition, Newcombe teaches the limitation of "the ticket issuing means being 
means for issuing the ticket inclusive of the user identifier" (page 5, paragraph 0064) if 
AS determines that the user is a valid user, AS provides the client with a ticket granting 
ticket, that typically includes a server readable portion, client readable portion, and an 
authenticator. 

Claims 12, 14, and 22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Newcombe in view of Arnold and Medvinsky. 

As per claim 12, Newcombe teaches a user terminal in an authentication system 
in which an authentication of a user utilizing a user terminal is performed by an 
authentication server and a request to provide a service is made to an application 
server on the basis of the authentication (0052), comprising: 

a ticket reception means for receiving a ticket transmitted from the authentication 
server (0064), key information presenting a public key of the user terminal (0029) and 
information-for-authentication produced by using at least the allocated address and the 
key information (0065); 
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a session establishing means to which the ticket is input and which transmits a 
first packet including the ticket to the application server for establishing a session with 
the application server (0047); 

a service request means for transmitting a second packet representing a service 
request to the application server through the established session (0046); 

a key information generating means to which a public key of the user terminal is 
input and which generates a key information relating to the public key of the user 
terminal (0025 and 0029); 

and a packet cryptographic processing means to which a packet to be 
transmitted from the user terminal and the session secret key are input and which 
applies a processing to the transmitted packet which guarantees that there is no forgery 
in the packet by the session secret key (0065); 

a user authentication information transmitting means configured to transmit the 
key information together with the user authentication information to the authentication 
server (0052 and 0072). 

It is noted, however, that Newcombe does not teach the limitations of "an 
address allocating means for allocating an address to the user terminal for a successful 
authentication of the user", "means for setting up an address contained in the ticket as a 
source address for a packet which is to be transmitted from the user terminal." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
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authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 

Newcombe is silent in explicitly teaching the session keys are created using the 
private and public keys of the user terminal and the application server. Newcombe 
does teach using a session key between the client and server and that any algorithm 
could be used. The algorithm used in the claim is a well known Diffie-Hellman type (e.g. 
IKE, Oakley) key exchange. Medvinsky teaches this same type of key exchange with 
the use of tickets (001 3). It is obvious to one of ordinary skill to substitute known 
methods which produce predictable results. The combination of Medvinsky produces a 
well known and secure key exchange. 

As per claim 14, Newcombe teaches a user terminal in an authentication system 
in which an authentication of a user utilizing a user terminal is performed by an 
authentication server and a request to provide a service is made to an application 
server on the basis of the authentication (0052), comprising: 

a ticket reception means for receiving a ticket transmitted from the authentication 
server (0064), key information presenting a public key of the user terminal (0029) and 
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information-for-authentication produced by using at least the allocated address and the 
key information (0065); 

a session establishing means to which the ticket is input and which transmits a 
first packet including the ticket to the application server for establishing a session with 
the application server (0047); 

a service request means for transmitting a second packet representing a service 
request to the application server through the established session (0046); 

a key information generating means to which an authentication purpose shared 
secret key (0029) which is shared with the application server and a random number 
(timestamp) which changes each time (0025) a session is established are input and 
which generates a key information by processing random number by the authentication 
purpose shared secret key (0031 ); 

a key information generating means to which a public key of the user terminal is 
input and which generates a key information relating to the public key of the user 
terminal (0025 and 0029); 

and a packet cryptographic processing means to which a packet to be 
transmitted from the user terminal and the session secret key are input and which 
applies a processing to the transmitted packet which guarantees that there is no forgery 
in the packet by the session secret key (0065); 

a user authentication information transmitting means configured to transmit the 
key information together with the user authentication information to the authentication 
server (0052 and 0072); 
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the user authentication information transmitting means which is configured to 
transmit the key information the key information together with the user authentication 
information (0052 and 0072). 

It is noted, however, that Newcombe does not teach the limitations of "an 
address allocating means for allocating an address to the user terminal for a successful 
authentication of the user", "means for setting up an address contained in the ticket as a 
source address for a packet which is to be transmitted from the user terminal." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 

Newcombe is silent in explicitly teaching the session keys are created using the 
private and public keys of the user terminal and the application server. Newcombe 
does teach using a session key between the client and server and that any algorithm 
could be used. The algorithm used in the claim is a well known Diffie-Hellman type (e.g. 
IKE, Oakley) key exchange. Medvinsky teaches this same type of key exchange with 
the use of tickets (001 3). It is obvious to one of ordinary skill to substitute known 
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methods which produce predictable results, 
well known and secure key exchange. 
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The combination of Medvinsky produces a 



With respect to claim 22, it is rejected in view of the same reasons as stated in 
the rejection of independent claim 12. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is 
(571 )270-731 6. The examiner can normally be reached on Monday - Thursday, 7:30am 
- 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, William Korzuch can be reached on 571-272-7589. The fax 
phone number for the organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
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USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/M. R. V./ 

Examiner, Art Unit 2431 
/William R. Korzuch/ 

Supervisory Patent Examiner, Art Unit 2431 



